security

问题 My web application have a continuously running service to send a report to a ftp server, the file need to be encrypted by using a Public Key. Thus my question is where should I store the Public Key? I only have one Public Key so using an advanced Key Store seems to be overkill? Should I just manually create a folder on the server and store it in there? 回答1: Storage of the public key (or more likely a certificate containing it) isn't the part that matters. What matters is the location of the

问题 I am allowing users to upload photos like photo albums, and also attach files (documents for now) as mail attachments. So i assume I need some anti virus/security tool in place to scan the files first in case people upload infected stuff. So two questions: 1) Are there any 'free' or open source tools for this I can use or integrate into my environment: codeignitor php? 2) How to secure the upload area from rest of the system? Say the virus scanner fails to catch a virus and it is uploaded,

问题 I am allowing users to upload photos like photo albums, and also attach files (documents for now) as mail attachments. So i assume I need some anti virus/security tool in place to scan the files first in case people upload infected stuff. So two questions: 1) Are there any 'free' or open source tools for this I can use or integrate into my environment: codeignitor php? 2) How to secure the upload area from rest of the system? Say the virus scanner fails to catch a virus and it is uploaded,

问题 I was going to expose a port for remote debugging of Java-based web service over the internet, but thinking twice I realised that it has no any authentification. Theoretically, it seems to be possible to write a tool, that attaches to remote debugger port, and executes arbitrary system commands via Java API. Or modifies/dumps database, and so on. At least this exploit seems to be the case http://securityaffairs.co/wordpress/36394/hacking/paypal-remote-code-execution.html I don't remember

问题 I was going to expose a port for remote debugging of Java-based web service over the internet, but thinking twice I realised that it has no any authentification. Theoretically, it seems to be possible to write a tool, that attaches to remote debugger port, and executes arbitrary system commands via Java API. Or modifies/dumps database, and so on. At least this exploit seems to be the case http://securityaffairs.co/wordpress/36394/hacking/paypal-remote-code-execution.html I don't remember

问题 I have had this discussion a couple of times in my career. In my view it is perfectly okay to expose the ids that are stored in the database to the client in your REST API response. But some people I've worked with think this is really one of the first lesson in security: "Never expose your database IDs to the client." Then they come with all kind of complexity to avoid this. For example, in one job I had to hash every ID in my rest response, and then unhash all the ids in the request. Now in

问题 I was thinking about security for my REST web Service API, and decided to take a look at others large services and how they do it. As an example I decided to study Twitter's OAuth. After reading beginners guide I'm a little be confused and shocked. As I understood it's Service provider responsibility to authenticate user and to show User what kind of access consumer is demanding (for example it want's read only access to specific resource). But I saw service providers that doesn't inform user

问题 I was thinking about security for my REST web Service API, and decided to take a look at others large services and how they do it. As an example I decided to study Twitter's OAuth. After reading beginners guide I'm a little be confused and shocked. As I understood it's Service provider responsibility to authenticate user and to show User what kind of access consumer is demanding (for example it want's read only access to specific resource). But I saw service providers that doesn't inform user

问题 I was thinking about security for my REST web Service API, and decided to take a look at others large services and how they do it. As an example I decided to study Twitter's OAuth. After reading beginners guide I'm a little be confused and shocked. As I understood it's Service provider responsibility to authenticate user and to show User what kind of access consumer is demanding (for example it want's read only access to specific resource). But I saw service providers that doesn't inform user

问题 I have An Asp.net MVC Application With VS.Net2013 in my webconfige file i have connection string Section like this: <connectionStrings> <add name="ConnectStrNL" connectionString="server=192.168.0.71\ins1;database=FNHProvider;MultipleActiveResultSets=true;persist security info=True;User ID=general;Password=123;" /> <add name="connectionStringGeneral" connectionString="server=192.168.0.254;database=NFS;MultipleActiveResultSets=true;persist security info=True;User ID=General;Password=*******;" /